Securing ADF Applications Using the Oracle E-Business Suite SDK JAAS Implementation

In the previous post in the series on ADF integration with Oracle E-Business Suite, I covered how to set up and use the Oracle E-Business Suite SDK for Java to create a data source for accessing Oracle E-Business Suite data from our ADF applications in read-only form.

In this post we are going to explore another feature of the Oracle E-Business Suite SDK for Java: its implementation of JAAS (Java Authentication and Authorization Service). Using this implementation we can use E-Business Suite users and roles to restrict access to specific parts of external Java EE applications. You can find a very nice explanation of this feature in the following post from the Oracle E-Business Suite Technology Team blog.

You will need to set up your runtime environment (WebLogic Server) and afterwards configure your ADF application to point to the right resources. Both steps are well explained in My Oracle Support Knowledge Document 974949.1. In this article I provide a high-level overview of the steps in that document, highlighting the areas where it is easy to make mistakes, which will hopefully help you get everything working successfully.

Setup

First you need to set up the AppsDataSource on your WebLogic Server in order to establish the communication channel with the Oracle E-Business Suite instance. Follow the instructions from the document in the sections Configuring AppsDataSource and Configuring AppsDataSource on Oracle WebLogic Server (WLS):

(Screenshot: DataSource)

The second step is to create and set up a default realm on WebLogic that enables user and role provisioning directly from E-Business Suite. In E-Business Suite, users and roles are stored in specific database tables, so the new realm will make use of the AppsDataSource defined in the first step. All of the steps are described in the note in the section JAAS Configuration for Oracle WebLogic Server 10.3.5.0. When setting up the realm you need to pay attention to the following steps; if they are not executed correctly they can cause problems later on:

  • External Authenticator: By default, WebLogic Server doesn't provide the external authenticator that is used to authenticate against E-Business Suite. During the AppsDataSource setup you are going to use the fndext.jar that comes with the patch from My Oracle Support, and you recompile it using the following command:

java -classpath /tmp/mysrc:$CLASSPATH -DMJF=/tmp/mysrc/fndext.jar -Dfiles=/tmp/mysrc weblogic.management.commo.WebLogicMBeanMaker

If the command executes correctly and doesn't throw any errors, when creating the new realm you will be able to select ExternalAuthenticator from the list of authentication providers.

  • DataSource: Another area where you need to be careful is when specifying which data source the realm uses. Make sure the JNDI name that you gave your AppsDataSource matches the one used by the realm.


After completing all the steps you should have two realms on your WLS, with the new one set as the default.

(Screenshot: realm)

ADF Application

An interesting aspect of the integration is that you can leverage ADF Security to use the E-Business Suite JAAS implementation without manually editing configuration files as is the case with Java EE applications.

Note that all the E-Business Suite roles to be used in the ADF application need to be defined as Enterprise Roles. Also, you do not need to create users for the application, since all of them come from Oracle E-Business Suite. You can still define application-specific roles, but each of those roles needs to map to one of the enterprise roles.
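As an added illustration (not from the original post or from the Oracle note), here is the shape of a jazn-data.xml fragment in the 11g format that follows this rule: the enterprise role arriving from E-Business Suite is declared in the realm, an application role is made a member of it, and the page grant is given to the application role rather than to any user. The role name UMX|POADFACCESS, the application name EbsSecApp and the page definition name are borrowed from the comments below; the application role name po-viewer is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jazn-data xmlns="http://xmlns.oracle.com/oracleas/schema/11/jazn-data-11_0.xsd">
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <!-- Enterprise role: the E-Business Suite UMX role as it is
           presented to WebLogic by the ExternalAuthenticator.
           No <users> element: users are never defined here. -->
      <roles>
        <role>
          <name>UMX|POADFACCESS</name>
          <class>weblogic.security.principal.WLSGroupImpl</class>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <policy-store>
    <applications>
      <application>
        <name>EbsSecApp</name>
        <app-roles>
          <!-- Application-specific role (assumed name) whose only
               member is the enterprise role above. -->
          <app-role>
            <name>po-viewer</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>UMX|POADFACCESS</name>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <!-- Resource grant on the page definition; view is the
               action ADF checks before rendering the region. -->
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>po-viewer</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>org.lakeco.ebs.ui.pageDefs.DeptEmployeePgPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

If the grant never reaches the server's system-jazn-data.xml at deployment time, the permission check runs against the anonymous principals only and fails with the RegionPermission access-denied error shown in the comments.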

When you are ready to deploy, make sure you uncheck all the options related to users and groups. You don't need them, since both come from E-Business Suite.

(Screenshot: deployment)

Now your application should be working and authenticating against E-Business Suite.

Here is a video that shows an ADF Application using the E-Business Suite SDK for Java JAAS implementation.

Securing ADF Application using the JAAS Implementation of the Oracle E-Business Suite SDK for Java

Related Articles:
AppsDataSource and Java Authentication and Authorization Service for Oracle E-Business Suite

Comments:

Juan,

Thank you for the very useful post.
I set up the AppsDataSource in WebLogic Server for EBS, but I am getting an [oracle.adf.share.security.authorization.RegionPermission] error
when I try to authenticate using my EBS user id. It is definitely accepting my EBS user id and password, but for some reason
the pages are not displayed.

My JDeveloper version is 11.1.2.1 and WebLogic Server version is 10.3.6.

I have given proper resource grants for the pages and TFs.

Here is the log from the WebLogic Console:

[JpsAuth] Check Permission
PolicyContext: [null]
Resource/Target: [AppSecurityContext.setApplicationID.EbsSecApp_Project1_EbsSecApp]
Action: [null]
Permission Class: [oracle.security.jps.JpsPermission]
Result: [SUCCEEDED]
Subject: [null]
Evaluator: [ACC]
[JpsAuth] Check Permission
PolicyContext: [EbsSecApp_Project1_EbsSecApp]
Resource/Target: [doAsPrivileged]
Action: [null]
Permission Class: [javax.security.auth.AuthPermission]
Result: [SUCCEEDED]
Subject: [null]
Evaluator: [SM]
[JpsAuth] Check Permission
PolicyContext: [EbsSecApp_Project1_EbsSecApp]
Resource/Target: [AppSecurityContext.setApplicationID.null]
Action: [null]
Permission Class: [oracle.security.jps.JpsPermission]
Result: [SUCCEEDED]
Subject: [null]
Evaluator: [ACC]
[JpsAuth] Check Permission
PolicyContext: [null]
Resource/Target: [AppSecurityContext.setApplicationID.EbsSecApp_Project1_EbsSecApp]
Action: [null]
Permission Class: [oracle.security.jps.JpsPermission]
Result: [SUCCEEDED]
Subject: [null]
Evaluator: [ACC]
[JpsAuth] Check Permission
PolicyContext: [EbsSecApp_Project1_EbsSecApp]
Resource/Target: [doAsPrivileged]
Action: [null]
Permission Class: [javax.security.auth.AuthPermission]
Result: [SUCCEEDED]
Subject: [null]
Evaluator: [SM]
[JpsAuth] Check Permission
PolicyContext: [EbsSecApp_Project1_EbsSecApp]
Resource/Target: [getSubjectFromDomainCombiner]
Action: [null]
Permission Class: [javax.security.auth.AuthPermission]
Result: [SUCCEEDED]
Subject: [null]
Evaluator: [SM]
[JpsAuth] Check Permission
PolicyContext: [EbsSecApp_Project1_EbsSecApp]
Resource/Target: [org.lakeco.ebs.ui.pageDefs.DeptEmployeePgPageDef]
Action: [view]
Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
Result: [FAILED]
Evaluator: [ACC]
Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@138d107f
CodeSource=file:/oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
Principals=total 2 of principals(
1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
Permissions=(
(java.io.FilePermission /oracle/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar read)
(oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=*,keyName=* *)
(java.lang.RuntimePermission stopThread)
(java.lang.RuntimePermission exitVM)
(java.util.PropertyPermission line.separator read)
(java.util.PropertyPermission java.vm.specification.version read)
(java.util.PropertyPermission java.vm.version read)
(java.util.PropertyPermission java.vendor.url read)
(java.util.PropertyPermission java.vm.specification.vendor read)
(java.util.PropertyPermission java.vm.name read)
(java.util.PropertyPermission os.name read)
(java.util.PropertyPermission java.vm.vendor read)
(java.util.PropertyPermission path.separator read)
(java.util.PropertyPermission os.version read)
(java.util.PropertyPermission java.specification.name read)
(java.util.PropertyPermission mds.store.filesystem.path read)
(java.util.PropertyPermission os.arch read)
(java.util.PropertyPermission java.version read)
(java.util.PropertyPermission java.class.version read)
(java.util.PropertyPermission java.vendor read)
(java.util.PropertyPermission file.separator read)
(java.util.PropertyPermission java.vm.specification.name read)
(java.util.PropertyPermission java.specification.version read)
(java.util.PropertyPermission java.specification.vendor read)
(oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:* Actions:getApplicationPolicy)
(java.net.SocketPermission localhost:1024- listen,resolve)
)
Call Stack: java.security.AccessControlException: access denied oracle.adf.share.security.authorization.RegionPermission/org.lakeco.ebs.ui.pageDefs.DeptEmployeePgPageDef

I have also posted the jazn-data.xml and weblogic config.xml in the OTN forum (https://forums.oracle.com/forums/thread.jspa?messageID=10330198&#10330198).

I think I made some mistakes in the jazn-data.xml. But I am not sure what I am missing.
I have opened an Oracle SR on this, but not getting any help from the support.

If you could look into this that will be great.

Thanks,
Siva

Posted by Siva on May 11, 2012 at 09:28 AM PDT #

Thanks for the good post Juan.

Do you know if the ADF built-in application role of anonymous-role is supported by the Oracle E-Business Suite SDK JAAS Implementation? When I deploy my application to a domain that is configured to use the Oracle e-business suite SDK JAAS implementation - my pages that are granted view access to anonymous-role seem to direct me to the JAAS login page.

Posted by guest on May 31, 2012 at 12:19 PM PDT #

The anonymous-role does work with the E-Business Suite SDK JAAS implementation. In this case the issue turned out to be with the policy deployment to the standalone weblogic server. Verify the jazn-data.xml information for your application is being added to the system-jazn-data.xml as part of the deployment to the standalone weblogic server. If the policy information is not in system-jazn-data.xml you will be able to login, but will get 403 authorized errors within the browser - and you will be prompted to login to reach even a page which is granted view access to the anonymous-role since the application server does not have visibility to the policy information.

Posted by guest on June 06, 2012 at 07:00 AM PDT #

Hi Juan,

The AppsDataSource/EBS SDK has been working fine for us so far. Thanks for your help again.

We are almost ready to go live with our ADF application but, we have a small problem with user management in EBS to fix.

Currently EBS SDK supports only UMX|Roles, so we want to assign Custom ADF Application Role (UMX|POADFACCESS) to all the users of a particular custom responsibility. This responsibility contains more than 400 users. So, assigning the ADF UMX role to all the users manually is not feasible.
Is there any API in EBS R12.1.3 that I can use to assign a particular UMX|Role to a user or a responsibility?

Pls let me know.

Thanks

Siva

Posted by guest on June 22, 2012 at 02:04 PM PDT #

Hi Siva,

I don't have an environment set up to try this out myself, but I believe that if you add the Custom ADF Application Role (UMX|POADFACCESS) *TO* the existing custom responsibility, that should allow the UMX|POADFACCESS to be passed through to ADF for all users of the custom responsibility. So it should just be the one administrative task to add the role to the responsibility.

Would you please let us know if this solves your issue?

Thanks,

Sara Woodhull (Product manager for the EBS SDK)

Posted by Sara Woodhull on June 26, 2012 at 04:53 PM PDT #

Hi, I am using a WebSphere-based application, Jaylor. Can we configure the SDK with it, since we want to use the EBIZ native security model using user management? What are the similar configuration steps for it?

Posted by Rahul on July 16, 2012 at 03:53 PM PDT #

Hi Rahul,

Is your application built with ADF and deployed on WebSphere, or is it a Java EE application that you want to connect?

Thanks

Juan Camilo

Posted by guest on July 16, 2012 at 05:20 PM PDT #

The scenario goes as follows.

I have a web page with different tabs.
Everything is access based.
The user with access “1”, should view only first tab on the home page.
The user with access “2”, should view first and second tab
The user with access “3”, should view only second tab
The user with access “4”, should view only third tab.

How can I do this?
I guess Manage bean should be written, but could you please guide me in this?

Posted by PS on September 04, 2012 at 03:00 AM PDT #

Ps,

ADF Security enables you to define all those permissions in an easy and declarative way. I suggest you check the following article that shows how to implement ADF Security.
http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html

Also, if you have questions about it you could post them on the JDeveloper Forum; I assure you that you will get lots of help there too.
http://forums.oracle.com/forums/forum.jspa?forumID=83

Cheers,

JC

Posted by Juan Camilo Ruiz on September 26, 2012 at 10:26 AM PDT #

Hi Juan,

We would like to know the feasibility of implementing authentication of Imaging application with Oracle E-Business Suite SDK JAAS Implementation.
Can you please let us know if any customers have implemented this feature of getting EBS users and Roles into IPM?

Regards,
Ravi

Posted by Ravi on December 25, 2012 at 09:19 PM PST #

Hi Ravi,

No, I've not been contacted by any customer working with IPM. However, the right technology to use depends on what exactly you want to implement and what level of integration you want to have with EBS. I recommend that before moving forward with the project you check the following recorded webcast:
http://oukc.oracle.com/static09/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1249500448

Cheers,

Juan Camilo

Posted by Juan Camilo Ruiz on January 23, 2013 at 05:01 PM PST #

About
A blog that explores features, tips and tricks of ADF and JDeveloper by Juan Camilo Ruiz, Product Manager on the ADF and JDeveloper team